linux-malware-detect
Monitor Summary missing detection name and path
Hi, I use Maldet to monitor paths, which seems to be working fine, but about 50% of the time the hit list in the monitor summary email is missing the detection name and the path.
Here is an example:
HOST: web.*******.net
SCAN ID: 170409-1617.15658
STARTED: Sun Apr 9 16:02:13 2017
TOTAL FILES: 1
TOTAL HITS: 1
TOTAL CLEANED: 0
WARNING: Automatic quarantine is currently disabled, detected threats are still accessible to users!
To enable, set quarantine_hits=1 and/or to quarantine hits from this scan run:
/usr/local/sbin/maldet -q 170409-1617.15658
FILE HIT LIST:
ts/SharedResources/press.php
===============================================
Linux Malware Detect v1.6

I am able to get the full information about it by grepping event_log:
Apr 09 16:10:27 host maldet(17495): {hit} malware hit {HEX}php.base64.v23au.186 found for /home/*Removed*/public_html/Scripts/Widgets/SharedResources/press.php
Ryan
After more than two years it seems the bug is still present :disappointed:
Here is my example:
HOST: web***.***********.com
SCAN ID: 191105-1500.8014
STARTED: Nov 5 2019 14:48:47 +0100
MODE: inotify digest
ELAPSED: 0d:0h:11m:15s
TOTAL FILES: 1
TOTAL HITS: 1
TOTAL CLEANED: 0
WARNING: Automatic quarantine is currently disabled, detected threats are still accessible to users!
To enable, set quarantine_hits=1 and/or to quarantine hits from this scan run:
/usr/local/sbin/maldet -q 191105-1500.8014
FILE HIT LIST:
AV}Multios.Trojan.CryptocoinMiner-6448864-1 : /home/**********/www/virusz.zip
===============================================
Linux Malware Detect v1.6.4 < [email protected] >
And of course, those files are present in the event_log (I'll post everything that happened in that second):
Nov 05 14:55:21 web201 maldet(4654): {hit} malware hit {CAV}Multios.Trojan.CryptocoinMiner-6448864-1 found for /home/web/**********/vhosts/test/virusz.zip
Nov 05 14:55:21 web201 maldet(4654): {hit} malware hit {CAV}Multios.Trojan.CryptocoinMiner-6448864-1 found for /home/web/**********/www/imamonster
Nov 05 14:55:21 web201 maldet(4654): {hit} malware hit {CAV}Multios.Trojan.CryptocoinMiner-6448864-1 found for /home/web/**********/www/virusz.zip
Nov 05 14:55:21 web201 maldet(4654): {mon} scanned 3 new/changed files with clamav engine
Nov 05 14:55:21 web201 maldet(4654): {mon} inotify log file trimmed
Nov 05 14:57:21 web201 maldet(4654): {mon} warning clamd service not running; force-set monitor mode file scanning to every 120s
Honestly, I don't know what info would be useful for debugging, but I'll be happy to provide everything needed.
Francesco
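Both reports above show the same pattern: the summary email's FILE HIT LIST entry is cut short ("ts/SharedResources/press.php", "AV}Multios...") while the event_log `{hit}` line for the same second carries the full signature and path. The following is an added example, not code from the linux-malware-detect project or from either poster: it parses `{hit}` lines in the event_log format shown in the thread and maps a truncated hit-list entry back to the full record by suffix matching on the path (and on the signature, when the entry has one). The sample log lines are constructed from the format in the thread with made-up paths; the function and class names are mine.

```python
import re
from dataclasses import dataclass

# Constructed sample of maldet event_log lines in the format quoted in the
# thread ("<ts> <host> maldet(<pid>): {hit} malware hit <sig> found for <path>").
# Hosts and paths are made up; the {mon} line is there to show it is skipped.
SAMPLE_EVENT_LOG = """\
Nov 05 14:55:21 web201 maldet(4654): {hit} malware hit {CAV}Multios.Trojan.CryptocoinMiner-6448864-1 found for /home/web/example/vhosts/test/virusz.zip
Nov 05 14:55:21 web201 maldet(4654): {hit} malware hit {CAV}Multios.Trojan.CryptocoinMiner-6448864-1 found for /home/web/example/www/imamonster
Nov 05 14:55:21 web201 maldet(4654): {hit} malware hit {CAV}Multios.Trojan.CryptocoinMiner-6448864-1 found for /home/web/example/www/virusz.zip
Nov 05 14:55:21 web201 maldet(4654): {mon} scanned 3 new/changed files with clamav engine
Apr 09 16:10:27 host maldet(17495): {hit} malware hit {HEX}php.base64.v23au.186 found for /home/example/public_html/Scripts/Widgets/SharedResources/press.php
"""

# Only {hit} lines carry a signature and a path; everything else is ignored.
HIT_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) maldet\((?P<pid>\d+)\): "
    r"\{hit\} malware hit (?P<sig>\S+) found for (?P<path>.+)$"
)


@dataclass(frozen=True)
class Hit:
    ts: str
    host: str
    pid: int
    signature: str
    path: str


def parse_hits(log_text):
    """Return one Hit per {hit} line in the given event_log text (hypothetical helper)."""
    hits = []
    for line in log_text.splitlines():
        m = HIT_RE.match(line)
        if m:
            hits.append(Hit(m["ts"], m["host"], int(m["pid"]), m["sig"], m["path"]))
    return hits


def resolve_summary_entry(entry, hits):
    """Map a FILE HIT LIST entry back to the full event_log hits it refers to.

    A complete entry reads "SIG : /path"; a truncated one may be just a path
    tail ("ts/SharedResources/press.php") or a signature with its leading
    characters lost ("AV}Multios... : /path"). Both cases are handled by
    suffix-matching the path and, when present, the signature fragment.
    """
    if " : " in entry:
        sig_frag, path_frag = entry.split(" : ", 1)
    else:
        sig_frag, path_frag = "", entry
    sig_frag, path_frag = sig_frag.strip(), path_frag.strip()
    return [
        h for h in hits
        if h.path.endswith(path_frag) and h.signature.endswith(sig_frag)
    ]


if __name__ == "__main__":
    hits = parse_hits(SAMPLE_EVENT_LOG)
    truncated_entries = [
        "ts/SharedResources/press.php",
        "AV}Multios.Trojan.CryptocoinMiner-6448864-1 : /home/web/example/www/virusz.zip",
    ]
    for entry in truncated_entries:
        for h in resolve_summary_entry(entry, hits):
            print(f"{entry!r} -> {h.ts} {h.signature} {h.path}")
```

The practical takeaway for anyone alerting on these hosts: treat the event_log as the authoritative record of `{hit}` events and have monitoring read it (or the per-scan session report) rather than parsing the summary email, whose hit list may be truncated in inotify digest mode as both posts show.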